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scanning the decoded macro for a virus by comparing the decoded^rfacr o to the 
comparison data; 

wherein the comparison data includes a first suspect instruction identifier and a 
second suspect instruction identifier; x 

wherein the scannine the decoded macro i</determine whether it includes a 
virus comprises: 

determinine whether the decoded macro includes a first portion which 

corresponds to the first suspect instruction identifier; 

/ 

determining ^whether the decoded macro includes a second portion 
which corresponds to the second suspect instruction identifier: 

determining that the decoded macro includes the virus if the decoded 
macro/includes the first and second portions: and 

wherein the first suspect instruction identifier detects a macro virus enablement 
instruction. 

— / 






2. The method of claim /, further comprising: 

removing the virus from the macro to produce a treated macro if the step of 
scanning the decoded rpacro indicates that the macro is infected with the virus. 






if 


3. (Amended) The method of claim 1, wherein the [step of] retrieving a macro 
comprises: 

accessing a targeted file; s 
determining whether the targeted file is a template file; 
if the targeted file is not a template file, determining whether the targeted file 
includes an embedded macro; and 

if the targeted file includes an embedded macro, locating the embedded macro. 
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4. Canceled. 

5. Canceled. 
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6. Canceled. 



\^ (Amended) The method of claim 1 [6], wherein the second suspect instruction 
identifier detects a macro virus reproduction instruction. 

/> ^ (Amended) The method of claim 1 [4], wherein the [step of] removing the 
virus comprises: 

locating a first suspect macro instruction in the decoded macro which 
corresponds to the first suspect instruction identifier; and 
removing the first suspect macro instruction. 

(Amended) [The method of claim 8,] In a computer system comprising a 
processor and a memory, a method for detecting viruses in macros, the method comprising: 
obtaining comparison data including information for detecting a virus: 
retrieving a macro: 

decoding the macro to produce a decoded macro: 

scanning the decoded macro for a virus by comparing the decoded macro to t he 
comparison data: and 

removing the virus from, the macro to produce a treated macro if the step of 
scanning the decoded macro indicates that the macro is infected with the virus: 

verifying the integrity of the treated macro; and 

replacing the infected macro in a targeted file with the treated macro dependent 
upon the integrity verification of the treated macro. 



10. The method of claim 8, wherein the step of removing the first suspect macro 
instruction includes replacing the first suspect instruction with a benign instruction. 

/ 11. The method of claim 8, wherein the step of removing the virus comprises: 

locating a second suspect macro instruction in the decoded macro which 
corresponds to the second suspect instruction identifier; and 

removing the second suspect macro instruction from the decoded macro to 
produce a treated macro. 
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1 2. The method of claim 1, wherein the comparison data includes a plurality of 
sets of suspect instruction identifiers, 

— ^ 








I Oj^ (Amended) |The method of claim 12,1 In a computer systemjedmorisine a 
processor and a memory, a method for detecting viruses in macros, thelnethod comprising- 
obtaining comparison data including informatioilibT detecting a virus: 
retrieving a macro: 

decoding the macro to produce a decoded macro: 

scanning the decoded macrcvfora virus bv comparing the decoded macro to the 
comparison data: / 

wherein the comparison data includes a first suspect instruction identifier and a 
second suspect instruction identifiers: and 

wherejir'a first set of suspect instruction identifiers comprises the 

strings 73'CB 00 0C 6C 01 00 and 67 C2 80. 







14. The method of claim 13, wherein a second set of suspect instruction identifiers 
comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a 
third set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 
61 63 72 6F 73 76 08, a fourth set of suspect instruction identifiers comprises the strings 12 
6C 01 00 and 64 67 C2 80 6A OF 47, and a fifth set of suspect instruction identifiers 
comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D. 
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I (Amended) In a computer system comprising a proc^sscfrar^ a memory, a 
/method for detecting viruses in macros, the method comprising: 
retrieving a macro; ^^^^ 

obtaining comparison data fordetecting a virus, the comparison data including 
a first suspect instruction identifier and a second suspect instruction identifier; 

scanning the macrp'to determine whether the macro includes a first portion 
which corresponds^o^the first suspect instruction identifier; 

scanning the macro to determine whether the macro includes a second portion 
which corresponds to the second suspect instruction identifier; and 
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determining that the macro is iijfitfcted with the virus if the macro includes the 
first and second portions; 

wherein the first instru^ion identifier includes the string 73 CB 00 PC 6C 01 
/ 

00 and the second suspect instruction identifier includes the string 67 C2 80 . 



16. The method of claim 15, further comprising: 

treating the macro to produce a treated macro if it is determined that the 
macro includes the first and second portions. 



1 7. The method of claim 16, wherein the step of treating the macro comprises: 

locating a first macro instruction in the infected macro which corresponds to 

the first suspect instruction identifier; and 

removing the first macro instruction from the infected macro to repair the 

infected macro. 



18. The method of claim 1 7, wherein the step of treating the macro comprises: 

locating a second macro instruction in the infected macro which corresponds 

to the second suspect instruction identifier; and 

removing the second macro instruction from the infected macro to repair the 

infected macro. 



LAW OFFICES OF 
SKJERVEN, MORRILL, 
MacPHERSON, FRANKLIN I 

&. FRIEL LLP » J J 

25 METRO DRi 
SUITE 700 I 
SAN JOSE, CA 95110 
(408) 453-9200 



1 9. The method of claim 15, wherein the step of retrieving a macro comprises: 
accessing a targeted file; and 

determining whether the targeted file is a template file; 
if the file is not a template file, determining whether the targeted file includes 
an embedded macro; and 

if the file includes an embedded macro, locating the embedded macro. 



20. 



Canceled. 



21. The method of claim 15, wherein the comparison data includes a plurality of 



V 

J sets of suspect instruction identifiers. 
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^ l&J2ff. (Amended) [The method of claim 2 1 J In a computer svstenu^omprising a 
'processor ™& a memory, a method for detecting viruses in macros, the method comprising* 




retrieving a macro; / 
obtaining comparison data for detecting a virus, thexomparison data including 
a first suspect instruction identifier and a second suspect instruction identifier- 
scanning the macro to determine whether the'macro includes a first portion • 
which corresponds to the first suspect instniction / identifier: 

scanning the macro to determine whetlier the macro includes a second portion 
which corresponds to the second suspect instruction identifier: 

determining that the macro is infected with the virus if the macro includes the 
first and second portions. / 

wherein the comparison data includes a plurality of sets of suspect instruction 
identifiers; and / 

wherein a first set^f suspect instruction identifiers comprises the strings 73 CB 
00 0C 6C 01 00 and 67,(22 80, a second set of suspect instruction comprises the strings 
73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of 
suspect instmctiotfidentifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 
63 72 6F 73^76 08, a fourth set of suspect instruction identifiers comprises the strings 
12 6C 01 00 and 64 67 C2 80 6A OF 47, and a fifth set of suspect instruction 
identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6 A and 80 05 6 A 07 
-=r-43^F 4D. 

pa. (Amended) [The method of claim 16,1 In a computer svstem comprising a 
processor and a memory, a method for detecting viruses in macros, the method comprising: 


retrieving a macro: 

obtaining comparison data for detecting a virus, the comparison data including 
a first suspect instruction identifier and a second suspect instruction identifier: 

scanning the macro to determine whether the macro includes a first portion 
which corresponds to the first suspect instruction identifier: 

scanning the macro to determine whether the macro includes a second portion 
which corresponds to the second suspect instruction identifier; 
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determining that the macro is infected with the virus if the macro includes the 
first and second portions: and 

treating the macro to produce a treated macro if it is determined that the macro 
includes the firs and second portions, further comprising: 

accessing a targeted file; [and] 

locating a macro within the targeted file; 

removing the macro from the targeted file; and 

adding the treated macro to the targeted file to produce a corrected file. 

/A. (Amended) An apparatus for detecting viruses in macros, the apparatus 
comprising: 

a virus information module, for storing comparison data for detecting a virus, 
the comparison data including a first suspect instruction identifier and a second 
suspect instruction identifier; [and] 

a macro virus scanning module, in communication with the virus information 
module, for receiving the comparison data and scanning a macro to determine whether 
the macro includes a first portion which corresponds to the first suspect instruction 
identifier and a second portion which corresponds to the second suspect instruction 
identifier; 

a macro locating and decoding module, in communication with the macro virus 
scanning module, for accessing a targeted file, determining whether the targeted file is 
a template file, determining whether the targeted file includes an embedded macro, 
and decoding the macro to produce a decoded macro: 

a macro treating module, in communication with the virus information module, 
for accessing the decoded macro and removing a first macro instruction which 
corresponds to the first suspect instruction identifier and a second macro instruction 
which corresponds to the second suspect instruction identifier to produce a treated 
macro: and 

a file correcting module, in communication with the macro treating module, for 
accessing the targeted file, locating the macro within the targeted file, removing the 
macro from the targeted file and adding the treated macro to the targeted file to 
produce a corrected file . 
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25. Canceled. 



26. Canceled. 



27. Canceled. 



viruses in 



J2%. (Amended) |The apparatus of claim 27 J An apparatus for detecting 
macros, the apparatus comprising: 

a virus information module, for storing comparison data for detecting a virus, 
the comparison data including a first suspect instruction identifier and a second 
suspect instruction identifier; and 

a macro virus scanning module, in communication with the virus information 
module, for receiving the comparison data and scanning a macro to determine whether 
the macro includes a first portion which corresponds to the first suspect instruction 
identifier and a second portion which corresponds to the second suspect instruction 
identifier, wherein the first instruction identifier includes the string 73 CB 00 0C 6C 
01 00 and the second suspect instruction identifier includes the string 67 C2 80. 



%0 



(Amended) The apparatus of claim / 24'[27], wherein the comparison data 
includes a plurality of sets of suspect instruction identifiers. 

^^f^ (Amended) [The apparatus of claim 29,] An apparatus for deteotimf viruses in 
macros, the apparatus comprising: 

a virus information module, for storing comparisorfclata for detecting a virus, 
the comparison data including a first suspect instruction identifier and a second 
suspect instruction identifier; and 

a macro virus scanning moduli, in communication with the virus information 
module, for receiving the comparison data and scanning a macro to determine whether 
the macro includes a first portion which corresponds to the first suspect instruction 
identifier and a second portion which corresponds to the second suspect instruction 
identifier; 
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wherein the comparison data includes a plurality of sets of suspect instruction 
identifies: and 

wherein a first set of suspect instruction identifiers comprises the strings the 
strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a-second set of suspect instruction 
comprises the strings 73 CB 00 0C 6Cj9f1)0 and 64 6F 02 67 DE 00 73 87 01 12 73 
7F, a third set of suspect instruction! identifiers comprises the strings 73 CB 00 0C 6C 
01 00 and 6D 61 63 72 6^33 16 08, a fourth set of suspect instruction identifiers 
comprises the striijgs^S 6C 01 00 and 64 67 C2 80 6 A OF 47, and a fifth set of suspect 
instracticmidentifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 



^L. (Amended) An apparatus for detecting 1 



viruses in macros, the apparatus 
comprising: 

means for obtaining comparison data for detecting a virus, the comparison data 
including a first suspect instruction identifier and a second suspect instruction 
identifier; 

means for scanning the macro to determine whether a macro includes a first 
portion which corresponds to the first suspect instruction identifier; 

means for scanning the macro to determine whether the macro includes a 
second portion which corresponds to the second suspect instruction identifier; [and] 

means for determining that the macro is infected with the virus if the macro 
includes the first and second portions; 

means for accessing a targeted file and determining whether the targeted file 
includes a macro; and 

means for correcting a file, the means for correcting a file including means for 
accessing the targeted file, means for removing the macro from the targeted file and 
means for adding the treated macro to the targeted file to produce a corrected file . 
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32. The apparatus of claim 31, further comprising: 

means for locating a first macro instruction and a second macro instruction 
within the macro which respectively correspond to the first suspect instruction 
identifier and the second suspect instruction identifier; and 
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